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BACKGROUND OF THE INVENTION 

Technical Field 

This invention relates to the field of user authentication and more particularly to a 
method and apparatus for secure entry of a user-identifier in a publicly positioned 
device. 

Description of the Related Art 

In todays environment, it is common for users to interact with machines which 
require that the user identify themselves in some unique way. For example, telephone 
carriers require that users enter calling card numbers. More particularly, often the user 
of a telephone calling card can be required to key in an identifier for instance a 
Personal Identification Number ("PIN"). Similarly, to authenticate the identify of a user, 
banking Automatic Teller Machines ("ATMs") require that the user provide an ATM or 
credit card to a card reader in addition to separately keying in a PIN. Finally, like ATMs 
and telephone kiosks, before granting a user access to sensitive information stored 
within a computer or workstation, the computer or workstation can require the user to 
authenticate the user's identity using a personal identification method. 

Still, the very nature of the services provided by ATMs, telephone booths and the 
like require that they be located in public places. Telephone kiosks at airports, public 
Internet terminals in libraries and Internet cafes, as well as ATM machines on the 
sidewalk in front of a building are three common examples. Additionally, like ATMs and 
telephone kiosks, often computers and workstations used to access sensitive 
information can be located in public places, for example on a user's lap in an airplane, 
on a train, or on a table in a library. 

Various security systems have been developed to address the need for privacy 
of data in public places. Well known in the industry these devices most commonly 
include password protected telephones, ATM machines, computers and computer 
programs. Additionally, systems have been developed that "lock" a computer or other 
such device until a valid identification card has been provided to a security card reader. 
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Still, even with these known security methods, it remains an easy task for a would-be 
unwanted observer to view a password as a legitimate user provides the same to the 
ATM, telephone kiosk, secure computer or workstation. In particular, if a would-be PIN 
thief has an awareness of the general sequence of prompts provided to a user by a 
personal identification method, the would-be thief can visually identify the user's 
secretive pin number from a distance by merely observing the timing, order and manner 
in which a user keys in numbers in a numeric keypad, for example. That is, although 
the PIN number may not be echoed to a screen, by observing the keystrokes of the 
user, the PIN number can become compromised. Likewise, a would-be thief can 
audibly identify the user's secretive PIN number from a distance by listening to the 
sequence of numbers spoken by the user through a telephone receiver, for example. 
By simply waiting, the would-be thief, in many cases can guess correctly which string of 
keystrokes or spoken data represent the PIN. 

Notably, the more public the location of the computer or workstation, the easier it 
becomes for an unwanted observer to view the legitimate user's password. Also, it has 
become commonplace for password pirates to fraudulently reproduce identification 
cards used to access secure devices. Thus, groups such as the banking, on-line 
computing and telephone industry have been plagued by stolen access codes and 
PINs, many of which are observed by trained thieves stationed proximate to the publicly 
positioned device, for example airport phone terminals. 
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SUMMARY OF THE INVENTION 

In many instances, it is desirable for a user to interact with a machine which 
performs user authentication. Specifically, often such machines require a user to 
perform an access validation method, typically by providing to the machine a password, 
PIN or other such user-identifier. The present invention provides an apparatus and 
methodology for shielding knowledge of the user-identifier from unauthorized users. In 
particular, the present invention can be applied to screen-based or telephone-based 
systems of interaction such as ATM machines, telephone kiosks and computer 
terminals. 

A method for secure entry of a user-identifier in a publicly positioned device 
through a personal identification method in a computing device can include establishing 
a private communications link between a user and the publicly positioned device; 
prompting the user for a combination of random data and the user-identifier; and, 
discarding the random data from the combination. In one embodiment of the invention, 
the prompting step can include separately prompting the user for random data and the 
user-identifier; and, combining the random data and the user-identifier into the 
combination. Preferably, however, the prompting step can include dividing the user- 
identifier into at least two portions; separately prompting the user for each portion of the 
user-identifier; prompting the user for random data in between the separate prompts for 
the at least two portions; and, discarding the random data and combining the at least 
two portions. In this case, the user-identifier is a combination of the at least two 
portions. 

In the preferred embodiments, the publicly positioned device can have a visual 
interface through which the user can be visually prompted for the random data and the 
user-identifier. Alternatively, the publicly positioned device can have a telephone 
interface through which the user can be audibly prompted for the random data and the 
user-identifier. In the case of a telephone interface, the establishing step can include 
connecting the user to a telephone operator system through the telephone interface. 
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Preferably, the telephone operator system can be an interactive voice response ("IVR") 
system. Alternatively, however, the telephone operator system can be a human 
telephone operator. In either case, the prompts can be audibly provided by the 
telephone operator system to the user through the telephone interface. 

By comparison, in the case of a visual interface, the establishing step can 
include linking the publicly positioned device through an encoder application to active 
glasses having a shuttered display, the shuttered display opening and closing 
responsive to synchronization pulses; synchronizing display of the prompts in the visual 
interface with the opening and closing of the shuttered display in the active glasses; 
and, displaying masking data in the visual interface between the display of the prompts. 

More particularly, the synchronizing step can include generating a sequencing 
pattern containing synchronization pulses; generating a data signal, the data signal 
comprising private data and masking data frames interspersed according to the 
sequencing pattern, the private data comprising the prompts; providing the data signal 
to the visual interface; and, opening and closing the shuttered display in the active 
glasses in accordance with the sequencing pattern. In consequence, the user viewing 
the visual interface with the active glasses can view the prompts and unauthorized 
viewers without the active glasses can view only the prompts obscured by the masking 
data. 

In one embodiment of the invention, the step of generating a data signal can 
include inserting masking data in the data signal; and, inserting the private data in the 
data signal when indicated by the synchronization pulses in the sequencing pattern. In 
another embodiment of the invention, the step of generating a data signal can include 
inserting masking data in the data signal; and, for private data forming a complete 
character or image, repeatedly inserting portions of the complete character or image 
when indicated by the synchronization pulses in the sequencing pattern until all portions 
of the complete character or image are inserted in the data signal. As a result, display 
of the data signal, as viewed by the active glasses synchronized with the display 
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according to the sequencing pattern, is a strobed display of the complete character or 
image. 

Notably, the step of opening and closing the shuttered display can occur 
responsive to synchronization pulses in the sequencing pattern. In yet another 
embodiment of the present invention, the sequencing pattern can be encoded. 
Accordingly, the step of opening and closing the shuttered display can include the steps 
of decoding the encoded sequencing pattern and, responsive to the synchronization 
pulses in the sequencing pattern, opening and closing the shuttered display. 

In yet another embodiment of the present invention, the sequencing pattern can 
correspond to alternating displays of the private data and the masking data. 
Alternatively, the sequencing pattern can correspond to combined left eye/right eye 
images of the private data. Finally, the masking data can be a fill pattern. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

There are presently shown in the drawings embodiments which are presently 
preferred, it being understood, however, that the invention is not limited to the precise 
arrangements and instrumentalities shown. 

Figure 1 is an illustration of a publicly positioned device having a visual interface 
through which the user can interact with a personal identification method in a computing 
device in accordance with the inventive arrangements. 

Figure 2 is an illustration of a publicly positioned device having a telephone 
interface through which the user can interact with a personal identification method in a 
computing device in accordance with the inventive arrangements. 

Figure 3 is a schematic diagram illustrating the relationship between the 
computing device and the active glasses, both of Figure 1 , both configured in 
accordance with the inventive arrangements. 

Figure 4 is a flow chart illustrating a preferred method for secure entry of a user- 
identifier in a publicly positioned device having a visual interface. 

Figure 5 is a flow chart illustrating a preferred method for secure entry of a user- 
identifier in a publicly positioned device having a telephone interface. 

Figures 6A-6B, taken together, are illustrations of the formation and display of a 
character using strobing techniques. 

Figures 7A and 7B illustrate initialization synchronization and data transmission 
patterns used to synchronize the active glasses with the visual display of the publicly 
positioned device of Figure 1 . 
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DETAILED DESCRIPTION OF THE INVENTION 

In order to provide enhanced security to users of computing devices which 
incorporate personal identification methods, the present invention includes an 
apparatus and methodology for shielding knowledge of a user-identifier from 
unauthorized users. In particular, the present invention can be applied both to screen- 
based or telephone-based systems of interaction such as ATM machines, telephone 
kiosks and computer terminals. In the case of a screen-based device, the system can 
combine active glasses decoding technology and prompts for randomly selected data in 
order to mask the entry of a user identifier which would be otherwise publicly viewable 
in the absence of the present invention. In the case of a telephone-based system, the 
system can combine interactive voice response ("IVR") technology and audible prompts 
for randomly selected data to mask the entry of a user-identifier which would be 
otherwise publicly viewable in the absence of the present invention. 

Figure 1 is a high level diagram illustrating the case of a screen-based system in 
which a visual interface is provided, such as a banking ATM machine. In the case of a 
visual interface, active glasses are used to decode a scrambled display screen so that 
only the wearer of the active glasses can view messages displayed on the display 
screen. A secure system in accordance with the inventive arrangements can include a 
set of active glasses, a publicly positioned device, such as an ATM, which can contain 
a computing device which can perform a personal identification method, and a data 
communications link between the active glasses and the ATM. 

As shown in Figure 1, an exemplary system can include a publicly positioned 
device, for example an ATM 10, having a display 10K and input means, for instance a 
numeric keypad 10J. This system can also include active glasses 20 having therein a 
shuttered display 20B, and a communications link 30 connecting the ATM 10 to the 
active glasses 20. Although the figure indicates a wire-based communications link, the 
invention is not limited in this regard. Rather, the communications link 30 can include 
wireless solutions as well, for example an RF or infrared link. Additionally, although 
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Figure 1 indicates that the active glasses 20 include a shuttered display 20B, the 
invention is not to be limited to shuttered lenses. Rather, equivalents to shuttered 
lenses are also contemplated by the present invention, for example lenses 
incorporating LCD technology, TFT technology, and lens polarization technology. 

The ATM 10 can further include therein a CPU 10A, a computer readable 
memory 10B, for example RAM, video output circuitry 10C for driving both the video 
display 10K and the active glasses 20, and communications circuitry 10D for 
communicatively connecting the ATM 10 to other computing devices in a data 
communications network. The ATM 10 also can include a fixed storage 10E, for 
example a hard disk drive. The fixed storage 10E can store therein an operating 
system 10F and a personal communications method 10G for performing user 
authentication. The fixed storage 10E can also include a video display driver 10H for 
commanding the video output circuitry IOC, and a display encoder 101 for coordinating 
the synchronous operation of the video display 10L and the shuttered display 20B of 
the active glasses 20. 

Notably, the display encoder 101 can provide a display signal to the video 
circuitry 10C which can contain private data interspersed among masking data so that 
unauthorized viewers who plainly view the video display 10K without the benefit of the 
active glasses 20 cannot observe the private data. Additionally, the display encoder 101 
can embed in the display signal synchronization pulses, which when decoded by the 
active glasses 20, can enable the active glasses 20 to view the private data. Thus, a 
display decoder 20A can be included with the active glasses 20 in order to decode the 
synchronization pulses contained in the data signal received from the video output 
circuitry 1 0C in order to display privately the private data in the public video display 1 0K 
through the shuttered display 208 of the active glasses 20. Finally, a security method 
10G, for example a method for authenticating a personal identification number ("PIN"), 
can be provided in a computer program with which a user can interact through a 
security method visual user interface 10L. 
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The operation of the active glasses 20 in accordance with the inventive 
arrangements is shown diagramatically in Figure 3, In the present invention, the active 
glasses 20 contain electro-optical elements typically found in active glasses, for 
example shuttered display 20B. Specifically, a shutter sequence control 21 can control 
the sequencing of the shutters in the shuttered display 20B. In addition, as discussed 
above, the active glasses 20 can include a decoder 20A for decoding encoded 
sequencing data transmitted by the computing device 10 and received by the active 
glasses 20 in receiver SOB across data communications link 30. 

In traditional 3D applications, each individual shutter of a shuttered display can 
be opened and closed in an alternating manner. The only variable, if any, associated 
with the opening and closing of the shutters is the sequencing rate. In a preferred 
embodiment of the present invention, in addition to sequencing rate considerations, the 
decoder 20A can be used to synchronize the shutters of the shuttered display 20B of 
the active glasses 20 to a specific sequence pattern. In particular, the shutters of the 
shuttered display 20B can be driven in a pattern that matches the pattern used to 
change the images in the video display 10K attached to the computing device 10. 

In operation, the video display 10K and the active glasses 20 are driven in 
synchronous operation by a specific pattern, creating in effect, a "strobe window" where 
only a portion of each character or graphic in the video display 10K are displayed for 
one or the other of the user's eyes. At the next strobe, one or the other eye is 
presented with another portion of the character or graphic. After several strobes, an 
entire character or graphic in the display will have been reproduced. The number of 
strobes required can be dependent on the number of portions or sub-characters used to 
develop an entire character on the display. 

Figures 6A and 6B, taken together, illustrate an exemplary character formed 
using the above-described strobing technique. Figure 6A illustrates a typical character 
display mechanism used in commercially available displays, well-known in the art. 
Each character in the display can be defined by a plurality of pixels 54 illuminated in a 
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display. The pixels 54 are logically grouped into a character cell 50, and within that cell, 
a smaller character box 52, The intersections of the pixels 54 on an x-y axis of the 
character box 52 represent the possible locations of pixels 54 to illuminate for this 
character. Graphics can be described in the same manner, except the "boxes" are 
larger. In Figure 6A, the character "A" is shown as it is "constructed" over the course of 
three "strobes" shown in Figure 6B as described above. Notwithstanding, the pattern, 
as shown in Figure 6B is merely an exemplary pattern. In fact, other combinations of 
pixels 54 could be chosen so long as a complete character can be formed subsequent 
to the completion of the sequencing pattern. 

Advantageously, during each strobe, data unrelated to the private data can be 
displayed in the display screen so that non-authorized users can obsen/e only public 
data. For example, a screen-saver pattern can be employed as the unrelated public 
data. In particular, referring now to Figure 3, the security method application can 
provide standard video output 15 to the display encoder 101 as it normally would in a 
computing device unmodified for the present invention. If enabled, the present 
invention can also generate a fill pattern 12 to create a public view for viewing by 
unauthorized viewers lacking the synchronized active glasses 20. Each of the standard 
video output 15 and the fill pattern 12 can be provided to the encoder application 101. 

In order to synchronize the video display 10K with the active glasses 20, the 
preferred embodiment can incorporate at least two sequencing patterns. One 
sequencing pattern simply opens or closes the shuttered lenses of the active glasses 
20 concurrently, and synchronously alternates the display between two different states. 
The first state can include the private data intended for the user. The second image 
can include masking data, for example, a different screen, a screen saver, or the 
original image offset by some physical distance. For example, the image can be shifted 
one or more characters left or right, or shifted one or more lines up or down. If the 
screen is refreshed every 10 ms, the time between refresh points remains available for 
other sequences to be initiated so that other users on other machines in the same 
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proximity can have their own private data views enabled. The latter method can prove 
useful for moderate levels of privacy and security. 

A second sequencing pattern can include a specific combination of left eye/right 
eye images that can permit only the user to see each character on the screen. This 
second sequencing pattern can be more complex than the first sequencing pattern 
since the timing of the sequencing pattern and the sequencing of each left eye/right eye 
image can be variable. Nevertheless, in either case, without the specific sequencing 
information, the projected images will be unreadable to unauthorized users. 
Significantly, the projected images can be unreadable to unauthorized user having 
active glasses but lacking knowledge of the specific sequencing information. 

In order to coordinate the specific sequencing of the display with the alternating 
action of the active glasses 20, the encoding application 101 can be employed. The 
encoding application 101, which implements a sequencing pattern encoding algorithm, 
preferably incorporates a random number as a seed for the encoding algorithm. The 
encoding algorithm can set the display device driver 10H and active glasses shutter 
sequence control 21 to a corresponding sequencing pattern. Advantageously, any 
popular encoding algorithm can be used in the sequencing pattern, so long as the 
algorithm can produce flicker-free operation. 

Specifically, a set of guidelines exists for presenting different images in each eye 
while minimizing perceived flicker and eyestrain. Typical implementations employ a 
120 Hz refresh rate, or as close to 120 Hz as possible according to the associated 
display's capability. However, because there are a number of monitors incapable of 
accommodating a 120 Hz refresh rate, a refresh rate adjustment utility can be provided 
to adjust and test the refresh rate setting whenever either a user selects a new 
resolution or connects a different display to the computer. 

For example, at higher resolutions - i.e. 1024x768 and greater - a 100 Hz or 
105 Hz refresh rate can accommodate a wide variety of displays that may not have a 
video bandwidth capable of coping with a 120 Hz refresh rate. Still, when the refresh 
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rate falls below 120 Hz, the alternating pattern can become increasingly more 
noticeable. In particular, as the refresh rate falls below 90 Hz, flicker can become more 
apparent and may be problematic for some users. In contrast, for refresh rates above 
90 Hz, flicker can be noticeable but not objectionable. Hence, refresh rates falling 
below 90 Hz preferably are avoided. 

In order to properly synchronize the video display 10K and the active glasses 20 
in a secure manner, a random cycle time between strobe cycles can be chosen and 
inserted into the synchronization signal. In order to encode a synchronization signal 
with a random cycle time, the encoder application 101 can obtain a seed from random 
number generator 1 1 in order to create a random cycle time for use in synchronizing the 
video display 10K and the active glasses 20. Specifically, as discussed in further detail 
herein, the seed can provide a foundation for delaying the display of privately viewable 
data in a subsequent strobe cycle, in between which the fill pattern will be inserted, and 
a public view therefore displayed. 

The encoder application 101 can generate a display signal 16 having the fill 
pattern 12 and interspersed therein according to the sequencing pattern of the 
synchronization signal, private data included in the standard video output 15. 
Concurrently, the encoder application 101 can generate a data sync signal 13 for 
synchronizing the active glasses 20 with the video display 10K. The video display 
device driver 10H can receive the display signal 16 while a data sync generator 14 can 
receive the data sync signal 13. 

Initially, the video display device driver 10H, using the data sync generator 14, 
can initialize the active glasses 20 by transmitting through transmitter 30A, an 
initialization sync signal (not shown) to the active glasses 20. Subsequently, the video 
display device driver 10H can pass the data sync signal 13 to the active glasses 20 and 
the combined signal 17 to the video display 10K. By synchronizing the action of the 
shuttered display 20B using the data sync signal 13, the user can view only the portions 
of private data shown during the strobe (e.g. unmasked) cycles. The visual persistence 
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of the user's eyes can integrate the strobed portions of private data into a unified, 
privately viewed image, secure fronn viewing by unauthorized users. Hence, the active 
glasses 20 can provide the user a private view of the data sinriultaneous to which an 
unauthorized viewer can see only the public pattern composed of the fill pattern 12 
combined with the private view on the video display 10K. 

Figures 7A and 7B illustrate communications protocols which can be used for 
communications between the computing device 10 and the active glasses 20. One 
skilled in the art will recognize however, that the protocols described herein are only 
exemplary of many protocols that could be equally and operatively employed. The 
important aspects of any protocol include the support for the initial synchronization of 
the computing device 10 and active glasses 20 with the random seed, and the support 
for the transmission of the continuing synchronization between the computing device 10 
and the active glasses 20. Specifically, in the preferred embodiment, a user having a 
data communications link 30, preferably wireless, between the computing device 10 
and the active glasses 20 can turn away from the video display 10K, lose a 
communications connection across the data communications link 30, turn back to the 
video display 10K and regain the communications connection. In addition, the 
continuing synchronization can eliminate the need for the active glasses 20 to maintain 
an accurate timer during the sequencing operation. 

As shown in figures 7A and 7B, the preferred embodiment can include two 
protocols, an initialization protocol and a data transmission protocol. As shown in figure 
7A, the initialization protocol can initialize the active glasses 20 using the same seed 
used by the computing device 10 to encode the shutter sequence in a data sync signal 
13. Notably, as discussed above, the data sync signal 13 is merely an encoded shutter 
sequence and not the standard video output 15. Rather, video output 15 can be 
combined with the fill pattern 12 and thereby hidden on the video display 10K. The 
active glasses 20 can be initialized by a short burst, preferably one second or less, that 
transmits a data sync pattern for establishing communications between the computing 
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device 10 and the active glasses 20. and the seed pattern itself. Notably, as is well 
known in the art of data communications, the data sync pattern can be any pattern 
based on the error characteristics of the data communications link. 

As shown in figure 7A, the initialization protocol preferably can be broadcast as a 
burst in order to prevent other proximate receivers from receiving and decoding the 
seed pattern. Still, the user preferably can add additional security by ensuring that no 
other active glasses in the area are being initialized at the same time. In the case of an 
infrared data communications link, the user can simply shield the transmitter and 
receiver path with the user's hand for the duration of the burst. Alternatively, in the 
case of an RF link, a serial number can be stored in a fixed memory in the active 
glasses 2. In consequence, the encoding application can use the serial number as part 
of the seed pattern so that only corresponding active glasses can decode the seed 
pattern. 

Figure 7B also illustrates a data transmission protocol. The data transmission 
protocol, like the initialization protocol, can include a broadcast of a data sync pattern 
and a data pattern. The data sync pattern may be the same or different than the 
initialization sync pattern. In fact, the data sync pattern can be eliminated if an 
encoding pattern, for example NRZ or NRZI, is used in the data communications link to 
denote timing data to be extracted by the active glasses. Still, since the data pattern is 
an encoded shutter synchronization pattern for the active glasses 20 to decode and 
apply, in incorporating a data sync pattern it is possible to further enhance security. 

For example, notably each data pattern can differ so the shutter sequence can 
be continuously varied. The decoder 20A residing on the active glasses 20 simply can 
apply the new synchronization pattern, decoded in each data sync frame. Further 
security can be incorporated by varying the durations of each data sync frame. As a 
result, in broadcasting several synchronization patterns of differing length between 
each data sync, the active glasses decoder 20A can still extract the synchronization 
pattern as a continuous stream of left eye/right eye shutter actions. 
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Figure 4 is a flow chart illustrating a method for secure entry of a user-identifier in 
a publicly positioned device wherein the device has a visual interface through which the 
user can interact with a personal identification method in a computing device. As 
shown in Figure 4, the publicly positioned device is assumed to be an ATM for use with 
wire-linked active glasses. Notwithstanding, the invention is limited neither to the ATM 
nor the wire-linked active glasses. Rather, the publicly positioned device can be a 
computer having a visual display, for example. Additionally, the active glasses can be 
wirelessly bound to the device. 

Using the ATM with wire-linked glasses example, the user can attach the active 
glasses to the ATM by inserting a suitable active glasses connector to a suitable 
connector receptacle in the ATM. In step 100, the insertion of the active glasses can be 
detected. Subsequently, the user can insert or swipe an ATM card through an ATM 
magnetic card reader. In step 102, the ATM can detect the insertion of the ATM card. 
Subsequently, in step 104, the ATM machine can transmit to the active glasses an 
encoding seed based on the users account number which can be read from the storage 
on the ATM card, for example a magnetic strip or bar code. Alternatively, the active 
glasses can contain a pre-programmed seed based on a password selection so that the 
active glasses can be matched immediately. Once the opening and closing of the 
shuttered lenses in the active glasses have been synchronized with the display of 
private data in the video display of the ATM machine, the transfer of private data can 
commence. 

In particular, in step 1 14, the user can interact with the personal identification 
method through a series of prompts. Specifically, in step 106, the ATM can prompt the 
user for the first X digits of the user's PIN. The value X can be any value consonant 
with the length of the PIN. For example, for a six digit PIN, X can be any number less 
than six. Likewise, for a ten digit PIN, X can be any number less than ten. 
Subsequently, in step 108, the ATM can compute a random number using random 
number generation techniques well known in the art. Significantly, the length of the 
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random number, itself can be random. Once a random number has been computed, 
the user can be prompted to key in the random number in step 110, Finally, the user 
can be prompted to supply the remaining portion of Y digits of the user's PIN in step 
112. However, the invention is not limited to merely the bifurcation of a PIN into X and 
Y portions. Rather, the method of the invention can be extended to any number of 
portions so long as the number of prompts for PIN portions does not exceed the 
number of digits in the PIN and so long as at least one randomly generated value is 
interspersed among the PIN portions. 

In step 116, the ATM can extract the random data from the series of portions of 
the PIN. In addition, the ATM can combine each portion of the PIN to form the 
complete PIN. In step 118, the ATM can determine whether the PIN is valid for the 
user as identified by the ATM card. If the ATM fails to validate the PIN, the user can be 
notified in step 120 and the user can be given an opportunity to repeat the entry of the 
PIN. Otherwise, in step 122, the user can be granted access to the ATM. 

In the preferred embodiment, the ATM can simultaneously display a screen 
prompting the user both to enter the user's PIN in addition to prompting the user for 
randomly generated data. For example, assuming the PIN number 1234, the ATM can 
privately display to a user wearing active glasses, "Enter the first two digits of your PIN, 
followed by 765', followed by the last 2 digits of your PIN". Once the user has entered 
each portion of the PIN and the random number 765', the ATM can discard the random 
number leaving the original PIN 1234. Notably, only the user wearing matching active 
glasses can see the screen display to know the value of the random number and the 
sequence in which to insert the random number. Unauthorized observers can observe 
merely 1276534 being entered, and will remain unable to determine which portion of 
the sequence is the actual PIN. 

As noted above, the method of the invention can also be performed in a publicly 
positioned computing having a telephone interface rather than a visual interface. 
Figure 2 is a high level diagram illustrating the case of a telephone-based system in 
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which a telephone interface is provided, such as an IVR system, for facilitating the 
placement of a calling card telephone call or for facilitating telephonic access to on-line 
information. In the case of a telephone interface, a user can establish a 
communications link privately with the IVR system (or any suitable telephone operator 

5 system) through a private telephone link. In this case, a secure system in accordance 
with the inventive arrangements can include a publicly positioned device, such as a 
telephone kiosk, an IVR system which can contain a computer program for performing a 
personal identification method, and a telephonic communications link between the 
telephone kiosk and the IVR system. Notably, a human operator can be substituted for 

10 the IVR system in which case the human operator can provide the necessary audible 
prompts to a user of the secure system. 

As shown in Figure 2, an exemplary system can include a publicly positioned 
computing device, for example a telephone kiosk 41 and an IVR system 40. The 
telephone kiosk 41 can be communicatively connected to the IVR over communications 

15 link 31 . Notably, the communications link 31 can be a traditional POTS link, a wireless 
communications link, for example an RF link, or any other suitable link through which 
telephony can occur. The IVR system 40 can further include therein a CPU 40A, a 
computer readable memory 40B, for example RAM, a telephony interface 40H for 
establishing and maintaining a telephonic connection across the communications link 

20 31 with the telephone kiosk 41 , and communications circuitry 40D for communicatively 
connecting the IVR system 40 to other computing devices in a data communications 
network. The IVR system 40 also can include a fixed storage 40E, for example a hard 
disk drive. The fixed storage 40E can store therein an operating system 40F and a 
personal identification method for performing user authentication, referred to in Figure 2 

25 as security method 40G. The fixed storage 40E also can include a text to speech 

("TTS") engine for converting computer produced text to audible speech, and a speech 
recognition engine 401 for converting speech provided through the telephony interface 
40H into computer readable text. 
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Figure 5 is a flow cliart illustrating a method for secure entry of a user-identifier in 
a personal identification method in a publicly positioned device wherein the device has 
a telephone interface through which the user can audibly interact with the personal 
identification method. As shown in Figure 5, the publicly positioned device is assumed 
to be a telephone kiosk for connection with a telephone operator system for instance an 
IVR system or a human operator. Notwithstanding, the invention is limited neither to 
the telephone kiosk nor the telephone operator system. Rather, the publicly positioned 
device can be a cellular telephone or an RF radio with an in-ear receiver, for example. 
Additionally, the telephone kiosk can audibly communicate with any suitable substitute 
for an IVR or a human telephone operator, for instance a computer having a telephony 
interface. 

Beginning in step 200 the user can establish a private connection to an IVR 
system by dialing a phone number suitable for connecting the user to a telephony 
interface in the IVR system through a telephone kiosk. The IVR system can receive the 
telephone call from the user. Subsequently, in step 202, the user can interact with the 
personal identification method through a series of prompts. Specifically, in step 204, 
the IVR system can prompt the user for the first X digits of the user's PIN. As before, 
the value X can be any value consonant with the length of the PIN. Subsequently, in 
step 206, the IVR system can compute a random number using random number 
generation techniques well known in the art. Significantly, the length of the random 
number Itself can be random. 

Once a random number has been computed, the user can be prompted to key in 
the random number in step 208. Finally, the user can be prompted to supply the 
remaining portion of Y digits of the user's PIN in step 210. However, as before, the 
invention is not limited to merely the bifurcation of a PIN into X and Y portions. Rather, 
the method of the invention can be extended to any number of portions so long as the 
number of prompts for PIN portions does not exceed the number of digits in the PIN 
and so long as at least one randomly generated value is interspersed among the PIN 

QBWPBM 59093.1 1 8 



6169-135 

portions. 

In step 212, the IVR system can extract the random data from the series of 
portions of the PIN. In addition, the IVR system can combine each portion of the PIN to 
form the complete PIN. In step 214, the IVR system can determine whether the PIN is 
a valid PIN. If the IVR system fails to validate the PIN, the user can be notified in step 
216 and the user can be given an opportunity to repeat the entry of the PIN. Otherwise, 
in step 218, the IVR system can grant the user access to target services. 

As an example, the method of the invention can be applied to the use of calling 
cards to access telephone service on telephones. In the preferred method of the 
invention, the user first dials the access number. Subsequently, the user's telephone 
call can be answered by a telephone operator system. While the telephone operator 
system can include an IVR machine for providing automated prompts to the user, the 
invention is not so limited and the telephone operator system could include a human 
telephone operator for providing verbal prompts to the user. In any case, the user can 
be prompted to first "enter the called number". Having entered the called number, the 
user can be prompted to enter a first portion of the calling card number. A second 
prompt asks the user to enter a specified random number. The third prompt requests 
the user to enter the remainder of the calling card number. As before, the sequence 
can be modified to allow more than one random number insertion sequence, as well as 
varying random number lengths. 

For a typical fourteen digit calling card, where the digit fields are three digits, 
three digits, four digits, four digits, an example could be: 

enter the first two digits of your calling card number; 

enter the number 463 (randomly selected and spoken by the IVR system); 

enter the last twelve digits of your calling card number. 
Many other combinations are possible using the same methodology. The carrier knows 
the random number used for this specific call, removes it form the total digit string 
collected, and the remaining numbers are the original calling card number. An 

QBWPB\1 59093.1 1 9 



6169-135 

observer, even knowing the digit field layout (3,3,4,4) would not be able to extract a 
useable number from observing the keyed sequence. For even greater security each 
call can use a different random number, random length of inserted number, and a 
different (random) placement of the inserted sequence. 

Thus, the present invention provides an apparatus and methodology for 
shielding knowledge of a user-identifier (be it a PIN, calling card number or other user- 
identifier) from unauthorized viewers. In particular, the present invention can be applied 
both to screen-based or telephone-based systems of interaction such as ATM 
machines, telephone kiosks and computer terminals. In the case of a screen-based 
device, the system can combine active glasses decoding technology and prompts for 
randomly selected data in order to mask the entry of a user identifier which would be 
otherwise publicly viewable in the absence of the present invention. In the case of a 
telephone-based system, the system can combine interactive voice response ("IVR") 
technology and prompts for randomly selected data to mask the entry of a user- 
identifier which would be othenA/ise publicly viewable in the absence of the present 
invention. 

Notably, the method of the invention can be realized in hardware, software, or a 
combination of hardware and software. Machine readable storage according to the 
present invention can be realized in a centralized fashion in one computer system, or in 
a distributed fashion where different elements are spread across several interconnected 
computer systems. Any kind of computer system or other apparatus adapted for 
carrying out the methods described herein is acceptable. A typical combination of 
hardware and software could be a general purpose computer system with a computer 
program that, when being loaded and executed, controls the computer system such 
that it carries out the methods described herein. The present invention can also be 
embedded in a computer program product which comprises all the features enabling 
the implementation of the methods described herein, and which when loaded in a 
computer system is able to carry out these methods. A computer program in the 
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present context can nnean any expression, in any language, code or notation, of a set of 
instructions intended to cause a systenn having an information processing capability to 
perform a particular function either directly or after either or both of the following: (a) 
conversion to another language, code or notation; and (b) reproduction in a different 
material form. 



QBWPBM 59093.1 



21 



6169-135 

CLAIMS 

1 . A method for secure entry of a user-identifier in a publicly positioned device 
comprising the steps of: 

establishing a private communications link between a user and the publicly 
positioned device; 

prompting said user for a combination of random data and the user-identifier; 

and, 

discarding said random data from said combination. 

2. The method of claim 1 , wherein said prompting step comprises the steps of: 
separately prompting said user for said random data and the user-identifier; and, 
combining said random data and the user-identifier into said combination. 

3. The method of claim 1 , wherein said prompting step comprises the steps of: 
dividing the user-identifier into at least two portions; 

separately prompting said user for each portion of the user-identifier; 

prompting said user for random data in between said separate prompts for said 
at least two portions; and, 

discarding said random data and combining said at least two portions, wherein 
the user-identifier comprises a combination of said at least two portions. 

4. The method of claim 1 , wherein the publicly positioned device has a visual 
interface through which said user can be visually prompted for said random data and 
the user-identifier. 

5. The method of claim 1 , wherein the publicly positioned device has a telephone 
interface through which said user can be audibly prompted for said random data and 
the user-identifier. 
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6. The method of claim 4, wherein said establishing step comprises: 

linking the publicly positioned device through an encoder application to active 
glasses having a shuttered display, said shuttered display opening and closing 
responsive to synchronization pulses; 

synchronizing display of said prompts in said visual interface with said opening 
and closing of said shuttered display in said active glasses; and, 

displaying masking data in said visual interface between said display of said 
prompts. 

7. The method according to claim 6, wherein said synchronizing step comprises the 
steps of: 

generating a sequencing pattern containing synchronization pulses; 

generating a data signal, said data signal comprising private data and masking 
data frames interspersed according to said sequencing pattern, said private data 
comprising said prompts; 

providing said data signal to said visual interface; and, 

opening and closing said shuttered display in said active glasses in accordance 
with said sequencing pattern, 

whereby said user viewing said visual interface with said active glasses can view 
said prompts and unauthorized viewers without said active glasses can view only said 
prompts obscured by said masking data. 

8. The method according to claim 7, wherein said sequencing pattern is encoded. 

9. The method according to claim 7, wherein said step of generating a data signal 
comprises the steps of: 

inserting masking data in said data signal; and, 

inserting said private data in said data signal when indicated by said 
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synchronization pulses in said sequencing pattern. 

10. The method according to claim 7, wherein said step of generating a data signal 
comprises the steps of: 

inserting masking data in said data signal; and, 

for private data forming a complete character or image, repeatedly inserting 
portions of said complete character or image when indicated by said synchronization 
pulses in said sequencing pattern until all portions of said complete character or image 
are inserted in said data signal, 

whereby display of said data signal, as viewed by said active glasses 
synchronized with said interface according to said sequencing pattern is a strobed 
display of said complete character or image. 

1 1 . The method according to claim 7, wherein said step of opening and closing said 
shuttered display comprises the step of, responsive to synchronization pulses in said 
sequencing pattern, opening and closing said shuttered display. 

12. The method according to claim 8, wherein said step of opening and closing said 
shuttered display comprises the steps of: 

decoding said encoded sequencing pattern; and, 

responsive to said synchronization pulses in said sequencing pattern, opening 
and closing said shuttered display. 

13. The method according to claim 7, wherein said sequencing pattern corresponds 
to alternating displays of said private data and said masking data, 

14. The method according to claim 7, wherein said sequencing pattern corresponds 
to combined left eye/right eye images of said private data. 
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15. The method according to claim 7, wherein said masking data is a fill pattern. 

16. The method according to claim 3, wherein said establishing step comprises the 
step of: 

connecting said user to a telephone operator system through said telephone 
interface, 

said prompts audibly provided by said telephone operator system to said user 
through said telephone interface. 

17. The method according to claim 16, wherein said telephone operator system is an 
interactive voice response ("IVR") system. 

18. The method according to claim 16, wherein said telephone operator system is a 
human telephone operator. 

19. A machine readable storage, having stored thereon a computer program for 
secure entry of a user-identifier in a publicly positioned device, said computer program 
having a plurality of code sections executable by a machine for causing the machine to 
perform the steps of: 

establishing a private communications link between a user and the publicly 
positioned device; 

prompting said user for a combination of random data and the user-identifier; 

and, 

discarding said random data from said combination. 

20. The machine readable storage of claim 19, wherein said prompting step 
comprises the steps of: 

separately prompting said user for said random data and the user-identifier; and, 
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combining said random data and tlie user-identifier into said combination. 

21. The machine readable storage of claim 19, wherein said prompting step 
comprises the steps of: 

dividing the user-identifier into at least two portions; 

separately prompting said user for each portion of the user-identifier; 

prompting said user for random data in between said separate prompts for said 
at least two portions; and, 

discarding said random data and combining said at least two portions, wherein 
the user-identifier comprises a combination of said at least two portions. 

22. The machine readable storage of claim 19, wherein the publicly positioned 
device has a visual interface through which said user can be visually prompted for said 
random data and the user-identifier. 

23. The machine readable storage of claim 19, wherein the publicly positioned 
device has a telephone interface through which said user can be audibly prompted for 
said random data and the user-identifier. 

24. The machine readable storage of claim 22, wherein said establishing step 
comprises: 

linking the publicly positioned device through an encoder application to active 
glasses having a shuttered display, said shuttered display opening and closing 
responsive to synchronization pulses; 

synchronizing display of said prompts in said visual interface with said opening 
and closing of said shuttered display in said active glasses; and, 

displaying masking data in said visual interface between said display of said 
prompts. 
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25. The machine readable storage of claim 24, wherein said synchronizing step 
comprises the steps of: 

generating a sequencing pattern containing synchronization pulses; 

generating a data signal, said data signal comprising private data and masking 
data frames interspersed according to said sequencing pattern, said private data 
comprising said prompts; 

providing said data signal to said visual interface; and, 

opening and closing said shuttered display in said active glasses in accordance 
with said sequencing pattern, 

whereby said user viewing said visual interface with said active glasses can view 
said prompts and unauthorized viewers without said active glasses can view only said 
prompts obscured by said masking data. 

26. The machine readable storage of claim 25, wherein said sequencing pattern is 
encoded. 

27. The machine readable storage of claim 25, wherein said step of generating a 
data signal comprises the steps of: 

inserting masking data in said data signal; and, 
inserting said private data in said data signal when indicated by said 
synchronization pulses in said sequencing pattern. 

28. The machine readable storage of claim 25, wherein said step of generating a 
data signal comprises the steps of: 

inserting masking data in said data signal; and, 

for private data forming a complete character or image, repeatedly inserting 
portions of said complete character or image when indicated by said synchronization 
pulses in said sequencing pattern until all portions of said complete character or image 
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are inserted in said data signal, 

whereby display of said data signal, as viewed by said active glasses 
synchronized with said visual interface according to said sequencing pattern is a 
strobed display of said complete character or image. 

29. The machine readable storage of claim 25, wherein said step of opening and 
closing said shuttered display comprises the step of, responsive to synchronization 
pulses in said sequencing pattern, opening and closing said shuttered display. 

30. The machine readable storage of claim 26, wherein said step of opening and 
closing said shuttered display comprises the steps of: 

decoding said encoded sequencing pattern; and, 

responsive to said synchronization pulses in said sequencing pattern, opening 
and closing said shuttered display. 

31 . The machine readable storage of claim 25, wherein said sequencing pattern 
corresponds to alternating displays of said private data and said masking data. 

32. The machine readable storage of claim 25, wherein said sequencing pattern 
corresponds to combined left eye/right eye images of said private data. 

33. The machine readable storage of claim 25, wherein said masking data is a fill 
pattern. 

34. The machine readable storage of claim 23, wherein said establishing step 
comprises the step of: 

connecting said user to a telephone operator system through said telephone 
interface, 



QBWPB\1 59093.1 



28 



6169-135 

said prompts audibly provided by said telephone operator system to said user 
through said telephone interface. 

35. The machine readable storage according to claim 34, wherein said telephone 
operator system is an interactive voice response ("IVR") system. 

36. The machine readable storage according to claim 34, wherein said telephone 
operator system is a human telephone operator. 
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ABSTRACT 

A method for secure entry of a user-identifier in a publicly positioned device can 
include establishing a private communications link between a user and the publicly 
positioned device; dividing the user-identifier into at least two portions; separately 
prompting the user for each portion of the user-identifier; prompting the user for a 
combination of random data and the user-identifier; and, discarding the random data 
from the combination. In the preferred embodiments, the publicly positioned device can 
have a visual interface through which the user can be visually prompted for the random 
data and the user-identifier. Alternatively, the publicly positioned device can have a 
telephone interface through which the user can be audibly prompted for the random 
data and the user-identifier. In the case of a visual display, the private communications 
link can be established by linking the publicly positioned device to active glasses having 
a shuttered display. The opening and closing of the shuttered display can be 
synchronized with the display of the prompts in the visual interface such that only the 
wearer of the active glasses can view the prompts. In the case of a telephone 
interface, an telephone operator system, for example an Interactive Voice Response 
system or a human operator, can provide the prompts audibly through the telephone 
interface. 
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